Charles-E. Prevost (@ceprevost)'s Twitter Profile
Charles-E. Prevost

@ceprevost

Jack of all trades, Master of some //
#RedTeaming, #Forensics, #IncidentResponse, #Malware and #Infosec

ID: 1656703806

09-08-2013 02:51:24

795 Tweets

406 Followers

479 Following

b33f | 🇺🇦✊ (@fuzzysec)

I am releasing DiscerningFinch, a small toolkit to generate keyed -> encrypted wrappers for .NET binaries. DiscerningFinch itself doesn't know the key and will try to brute force decrypt the inner binary based on OS constants. More details on GitHub => github.com/FuzzySecurity/…

Nick Carr (@itsreallynick)

Critical new defenses for OAuth consent phishing:
• ✅ Publisher verification [pic 1]
• 📋 Customizable app consent policies [pic 2]
• 🚷 Globally disallowing user consent to new multi-tenant apps from unverified publishers (on Nov 8)

👉🏼📰 Details: techcommunity.microsoft.com/t5/azure-activ…
samy kamkar (@samykamkar)

I've released NAT Slipstreaming, a spooky new technique that allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim’s NAT/firewall, just by the victim visiting a website. samy.pl/slipstream/ Happy Halloween!

Maddie Stone (@maddiestone)

With 22 0-day exploits, 2020 has officially surpassed 2019 in number of 0-days detected as exploited in-the-wild. As a reminder, Project Zero tracks all publicly known itw 0-day exploits going back to 2014 here: docs.google.com/spreadsheets/d…

Steve YARA Synapse Miller (@stvemillertime)

Eight years ago Mandiant (part of Google Cloud) made the cover of The New York Times with its APT1 report. Espionage is a tale as old as time, but I believe this report and this news coverage changed the private sector and forged a new public conversation on the topic. We are all still riding this wave.

James Coote (@jkcoote)

Just added `dump` to SharpSphere for dumping LSASS from any powered on Windows VM, without needing guest credentials. DC hosted on vSphere? Your vCenter users are DA.

Guide: jamescoote.co.uk/Dumping-LSASS-…
Code: github.com/JamesCooteUK/S…
Regina Elwell (@reginaelwell)

#MTrends 2021 is out! Level-set your perspectives of industry trends with metrics generated from hundreds of frontline incident response investigations. #ByTheNumbers 

Get your copy here: fireeye.com/mtrends
Doug Bienstock (@doughsec)

🚨🚨 New technique to steal AD FS secrets over the network. Defenders need to block internal traffic to AD FS servers over port 80 now! Read more: fireeye.com/blog/threat-re… shoutout to Dr. Nestori Syynimaa who had the same thought to look into AD FS replication and all his great work! 1/3

Jake Valletta (@jake_valletta)

At long last - Some research a few of us did in late 2020/early 2021 is live! Check out how we found a way to abuse a P2P protocol to compromise A LOT of smart devices! fireeye.com/blog/threat-re…

Aaron Stephens (@x04steve)

Did you know that Microsoft Office documents are actually just ZIP files? It makes for some neat detection opportunities. Today I'm happy to share one that we use on Mandiant (part of Google Cloud) #AdvancedPractices. Read all about it, and get your shiny new tool here: fireeye.com/blog/threat-re…

Florian Roth ⚡️ (@cyb3rops)

CyberSecurity should never be considered a separate field but a specialisation area within IT

It's like surgery. You can't be a good surgeon without fundamental knowledge of the anatomy, organ functions and illnesses. Without that knowledge, you're just a butcher.

Ali Hadi | B!n@ry (@binaryz0ne)

Working with a hex-editor is a very important #DFIR skill. I'm releasing the videos I recorded on how to use the 010 Editor for FREE. These videos were done for our Cyber 5W "Working with Files" course. Your feedback is very important to us! youtube.com/playlist?list=…

Joseph Cox (@josephfcox)

New: tried out the newer OMG Cables, one being a Lightning to USB-C cable that looks identical to the real Apple one. But it silently sends everything you're typing on your keyboard to an attacker's device potentially a mile away vice.com/en/article/k78…

Mandiant (part of Google Cloud) (@mandiant)

Get excited! #FLAREOn8 kicks off this Friday 8PM ET/5 PM PT at flare-on[dot]com. This year’s contest will consist of 10 challenges and feature a variety of formats, including Windows, Linux, and JavaScript. Learn more: feye.io/3zIuwnG

Dino A. Dai Zovi (@dinodaizovi)

Looks like definitely an interesting report, but I can't help but think how "living off the land" is just like Unix hacking in the 90's... I guess Windows systems now have enough useful utilities built-in for attackers to not need to bring their own stack anymore :).

Alyssa (she/her) (@ramen0x3f)

🚨🚨New Tools, Rules, and MORE! 🚨🚨 Today I'm releasing a toolset to hunt for deserialization exploitation by programmatically generating and testing rules: github.com/mandiant/heyse… Check out this blog for a (very) thorough walkthrough of my R&D process mandiant.com/resources/hunt…